Secrets Store CSI Driver: Keeping Secrets Secret
Conference: KubeCon + CloudNativeCon Europe 2021
Authors: Anish Ramasekar, Tommy Murphy
Summary
The Secrets Store CSI Driver is a solution for securely retrieving and managing sensitive information from external secret stores in Kubernetes applications.
- Kubernetes secrets may not meet encryption requirements or integrate with existing third-party secret solutions
- Options for consuming external secrets include modifying applications, copying secrets to Kubernetes secrets, using a sidecar, or using the Secrets Store CSI Driver
- The Secrets Store CSI Driver is a pluggable, familiar file system mount experience that supports multiple external secret providers and can load new values of secrets throughout a pod's lifecycle
- The driver can sync mounted contents as a Kubernetes secret and supports automatic rotation of secrets
- An anecdote was given about using the driver to sync TLS certificates stored in Azure Key Vault for use by an ingress controller
Abstract
Applications running on Kubernetes require access to sensitive information (passwords, SSH keys and authentication tokens). But how do you configure your applications when the source of truth for these secrets is an external secret store? What if you need to store, retrieve and perform zero touch rotation of these secrets securely? Meet the Secrets Store CSI Driver, a sig-auth subproject providing a simple way to retrieve secrets from enterprise-grade external stores such as Azure Key Vault, Google Secret Manager and HashiCorp Vault. In this session, Anish and Tommy will demonstrate how to use the Secrets Store CSI Driver to mount and rotate sensitive information from external secrets stores in the Kubernetes application. They will also discuss trade-offs of the CSI driver versus other solutions to accessing external secret stores and how CRDs are used to make pod portability across Kubernetes environments possible.
Materials:
Tags: